Same here - we have multiple projects developed with Wicket 7 and 8 and it would be long before all the projects could be migrated to JDK 11+ and Apache Wicket 9.x. It would be truly helpful if the Wicket Team could help with a security fix.
Thank you,
-Mihir.

On Fri, Jan 24, 2025 at 11:43 AM Jonathan Babie <jba...@osc.ny.gov.invalid> wrote:

> Hello,
>
> I was just looking to see if there are plans to address this in Wicket 8.x
> since it's still in security fixes only status. Any information would be
> greatly appreciated and thank you again.
>
> Thank you,
>
> Jonathan Babie
>
> Information Technology Specialist IV
>
> Java Applications Unit | CIO | OSC
>
> Work: (838) 910-4274
>
> Personal: (518) 331-8758
>
> ________________________________
> From: Pedro Santos <pe...@apache.org>
> Sent: Thursday, January 23, 2025 10:21 AM
> To: us...@wicket.apache.org <us...@wicket.apache.org>;
> dev@wicket.apache.org <dev@wicket.apache.org>
> Subject: CVE-2024-53299: Apache Wicket: An attacker can intentionally
> trigger a memory leak
>
> Severity: critical
>
> Affected versions:
>
> - Apache Wicket 7.0.0 through 7.18.*
> - Apache Wicket 8.0.0-M1 through 8.16.*
> - Apache Wicket 9.0.0-M1 through 9.18.*
> - Apache Wicket 10.0.0-M1 through 10.2.*
>
> Description:
>
> The request handling in the core in Apache Wicket 7.0.0 on any platform
> allows an attacker to create a DOS via multiple requests to server
> resources.
> Users are recommended to upgrade to versions 9.19.0 or 10.3.0, which fixes
> this issue.
>
> Credit: (finder)
>
> References:
>
> https://lists.apache.org/thread/gyp2ht00c62827y0379lxh5dbx3hhho5
> https://wicket.apache.org/
> https://www.cve.org/CVERecord?id=CVE-2024-53299
> Notice: This communication, including any attachments, is intended solely
> for the use of the individual or entity to which it is addressed. This
> communication may contain information that is protected from disclosure
> under State and/or Federal law. Please notify the sender immediately if you
> have received this communication in error and delete this email from your
> system. If you are not the intended recipient, you are requested not to
> disclose, copy, distribute or take any action in reliance on the contents
> of this information.
>